You didn’t come here from Google

That’s because I’m currently not being indexed by Google. Two weeks ago Google dropped this site from their search results because of the number of spam links I had on my pages. I did not put them there, of course, and I tried multiple times to get rid of them, but hackers kept coming back […]

That’s because I’m currently not being indexed by Google.

Two weeks ago Google dropped this site from their search results because of the number of spam links I had on my pages. I did not put them there, of course, and I tried multiple times to get rid of them, but hackers kept coming back to the site and thoughtfully adding them back again.

It turns out that they were the result of someone exploiting a well-known WordPress hack. Hackers were literally overwriting php scripts on my web server so that when people requested pages, tons of spam links were inserted into the result. Several people told me that this was happening, so I diligently overwrote the files in question (header.php, footer.php). Then, the next day someone else would tell me that it was happening (again), and I would fix it (again). I want to thank everyone who helped out…I truly appreciate you letting me know when this was occurring.

So then when Google crawled the site, they assumed I was a spam site and de-listed me. Literally overnight, I’m losing 300-400 visits per day. If you search on “Joshua Porter” or “bokardo”, you will not find this site. I’ve been the top link for those two terms for years.

From a technical standpoint, this is quite boring. But from a social design standpoint, the situation is quite interesting.

Obviously, if I met these hackers in real life, I would have choice words for them. Among other things, I would ask them to stop. And, if their identities were known, their behavior would also likely stop. Not just because of any warning or threat I could come up with, but because they would feel pressure from society to stop. Social norms would moderate their behavior better than anything I could do.

This is how behavior normally works. Most people don’t act out badly because of fear of getting caught and punished…although that certainly has an effect. Most people behave well because of how they’ll be treated afterward by society when they do something bad. The effect of our social groups is as strong as any threat of punishment.

In order to design software where people behave, the best practice is to tie identity to behavior. Once these two things are known, and related to each other, then social norms can kick in.

My question: if everything we do on the web is recorded somewhere…why can’t this sort of thing be stopped? I’m sure it’s a very small population of people who are doing this…why can’t someone reverse engineer the request to my web server and find out where it came from? Is that possible?

My guess is that it is possible, but involved. It probably gets done when a serious crime is committed, but not when the pain is seeing some spam links or getting de-indexed from Google. I would probably have to pay someone to do it.

Also, I would presume that other people using WordPress are also having this problem. Couldn’t we set up a tracking system (much like a bug-tracking system) that catalogues these breaches? Then we would see how widespread they are, and we might gain some momentum in combatting them. Maybe the perpetrators are a small group or a small number of individuals?

At this point, however, I’m not sure what I can do. I’ve upgraded to the latest WordPress, and that seems to have stemmed the flow of hacks temporarily. But this is going to happen again and again. Do I simply get into an arms race with the hackers and hope that I can outpace them?

How can I be sure that Google is even going to return to the site? Perhaps they’ve seen spam so long on my site that it’s now blacklisted?

Anyway, I think the root of this problem is social as much as technological. The available solutions, however, seem mostly technological. Any advice/thoughts you have on the matter would be greatly appreciated.